INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | Several remote code execution vulnerabilities exist in the way Microsoft Excel: 1) processes a VBA Performance Cache; 2) an improper memory allocationwhenloading Excel objects; and 3) a formula parsing vulnerability when parsing Microsoft Excel documents containing a specially crafted formula embedded inside a cell. |
| PLATFORM: | Excel 2000, 2002 (all editions) Excel 2003 and Excel Viewer 2003 (all editions) Excel 2007, Excel Viewer, and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (all editions) Office SharePoint Server 2007 (all editions) Office 2004, 2008 for Mac Open XML File Format Converter for Mac |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
5.1 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-003.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS08-057.mspx |
| CVE: | CVE-2008-3477 CVE-2008-3471 CVE-2008-4019 |
REVISION HISTORY:
10/29/2008 - revised T-003 to reflect changes Microsoft has made in MS08-057 where
they changed the Systems Management Server detection and deployment
summary to "yes" for all supported versions of Microsoft Office Excel
Viewer 2003 in the Detection and Deployment Tools and Guidance section.
This is an informational change only. There were no changes to the
security update binaries or detection logic.
10/30/2008 - revised T-003 to reflect changes Microsoft has made in MS08-057 where
they added an entry to the FAQ section to explain any additional
security features included in this update for Microsoft Office 2003
Service Pack 2; added missing entries for Excel 2003 Service Pack 3
to the Detection and Deployment Tools and Guidance section; and
corrected references to Windows Installer Redistributable in the
Security Update Deployment section.
[***** Start Microsoft Security Bulletin (MS08-057) *****]
Version: 1.2
This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported editions of Microsoft Office Excel 2000 and rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack , Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses these vulnerabilities by modifying the way that Microsoft Excel performs validations when opening Excel files. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Office Suite and Other Software | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
Microsoft Office 2000 Service Pack 3 |
Excel 2000 Service Pack 3 |
Remote Code Execution |
Critical |
|
Microsoft Office XP Service Pack 3 |
Excel 2002 Service Pack 3 |
Remote Code Execution |
Important |
|
Microsoft Office 2003 Service Pack 2 |
Excel 2003 Service Pack 2 |
Remote Code Execution |
Important |
|
Microsoft Office 2003 Service Pack 3 |
Excel 2003 Service Pack 3 |
Remote Code Execution |
Important |
|
2007 Microsoft Office System |
Excel 2007 |
Remote Code Execution |
Important |
|
2007 Microsoft Office System Service Pack 1 |
Excel 2007 Service Pack 1 |
Remote Code Execution |
Important |
|
Microsoft Office Excel Viewer 2003 |
|
Remote Code Execution |
Important |
|
Microsoft Office Excel Viewer 2003 Service Pack 3 |
|
Remote Code Execution |
Important |
|
Microsoft Office Excel Viewer |
|
Remote Code Execution |
Important |
|
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats |
|
Remote Code Execution |
Important |
|
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 |
|
Remote Code Execution |
Important |
|
Microsoft Office SharePoint Server 2007* |
|
Remote Code Execution |
Important |
|
Microsoft Office SharePoint Server 2007 Service Pack 1* |
|
Remote Code Execution |
Important |
|
Microsoft Office SharePoint Server 2007 x64 Edition* |
|
Remote Code Execution |
Important |
|
Microsoft Office SharePoint Server 2007 x64 Edition Service Pack 1* |
|
Remote Code Execution |
Important |
|
Microsoft Office 2004 for Mac |
|
Remote Code Execution |
Important |
|
Microsoft Office 2008 for Mac |
|
Remote Code Execution |
Important |
|
Open XML File Format Converter for Mac |
|
Remote Code Execution |
Important |
None |
*This update applies to servers that have Excel Services installed, such as the default configuration of Microsoft Office SharePoint Server 2007 Enterprise and Microsoft Office SharePoint Server 2007 For Internet Sites. Microsoft Office SharePoint Server 2007 Standard does not include Excel Services.
Non-Affected Software
| Office and Other Software |
Microsoft Works 8.0 |
Microsoft Works 8.5 |
Microsoft Works 9.0 |
Microsoft Works Suite 2005 |
Microsoft Works Suite 2006 |
Microsoft Office SharePoint Server 2003 Service Pack 3 |
 |
Severity Ratings and Vulnerability Identifiers |
|
|
Calendar Object Validation Vulnerability - CVE-2008-3477 |
File Format Parsing Vulnerability - CVE-2008-3471 |
Formula Parsing Vulnerability - CVE-2008-4019 |
Microsoft thanks the following for working with us to help protect customers:
| • | Wushi, working with TippingPoint and the Zero Day Initiative, for reporting the File Format Parsing Vulnerability (CVE-2008-3471). |
| • | Lionel d'Hauenens of Labo Skopia working with the iDefense VCP for reporting the Calendar Object Validation Vulnerability (CVE-2008-3477). |
| • | Joshua J. Drake of iDefense for reporting the Calendar Object Validation Vulnerability (CVE-2008-3477). |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (October 14, 2008): Bulletin published. |
| • | V1.1 (October 15, 2008): Changed the Systems Management Server detection and deployment summary to "yes" for all supported versions of Microsoft Office Excel Viewer 2003 in the Detection and Deployment Tools and Guidance section. This is an informational change only. There were no changes to the security update binaries or detection logic. |
| • | V1.2 (October 29, 2008): Added entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to explain any additional security features included in this update for Microsoft Office 2003 Service Pack 2. Added missing entries for Excel 2003 Service Pack 3 to the section, Detection and Deployment Tools and Guidance. Finally, corrected references to Windows Installer Redistributable in the section, Security Update Deployment. This is an informational change only. There were no changes to the security update binaries. |
[***** End Microsoft Security Bulletin (MS08-057) *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/